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1.  Executive  Summary 

This  report  describes  our  research  on  developing  and  applying  synthesis  technology  to  agent- 
based  systems  in  the  DARPA/AFRL  Control  of  Agent-Based  Systems  (COABS)  program.  Our 
technical  approach  is  based  on  specification  refinement  technology  which  allows  the  systematic 
machine-supported  development  of  software  from  requirement  specifications.  The  refinements 
embody  programming  knowledge  about  algorithms,  data  structures,  program  optimization  tech¬ 
niques,  etc.  The  result  of  the  refinement  process  is  executable  code  that  is  consistent  with  the 
problem  specification.  The  development  process  can  produce  highly  efficient  code  along  with  a 
proof  of  the  code's  correctness. 

The  initial  goal  of  the  project  was  to  develop  generic  tools  to  support  the  construction  of  soft¬ 
ware  agents  software,  in  particular  agents  that  provide  scheduling  and  resource  allocation  ser¬ 
vices.  In  the  second  part  of  the  project,  we  refocused  on  a  critical  aspect  of  coordinating  the  in¬ 
teraction  of  agents:  the  synthesis  of  glue-code  to  enable  agents  to  communicate  even  when  they 
expect  data  in  different  formats  and  at  different  levels  of  abstraction.  We  also  explored  the  syn¬ 
thesis  of  authentication  protocols  via  composition  mechanisms. 

We  obtained  technical  results  in  the  following  areas.  Alongside  each  topic  area,  we  list  the 
names  of  systems  that  we  built  to  implement  these  results. 

1 .  Generic  Synthesis  Frameworks  (Designware) 

2.  Synthesis  of  Scheduling  Agents  (Planware) 

3.  Synthesis  of  Authentication  Protocols 

4.  Formal  Metalevel  Specifications  (leading  to  MetaSlang) 

5.  Synthesis  of  Glue  Code  (glue-code  generator,  MIATA  TIE  contributions) 

Our  technical  results,  detailed  examples,  and  discussions  of  implemented  systems  are  docu¬ 
mented  in  1 1  publications  that  grew  out  of  the  work  on  this  project. 
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2.  Introduction 


This  final  report  summarizes  the  work  performed  by  Kestrel  Institute  on  the  project  "Agentware: 
Automated  Synthesis  of  Software  Agents",  Contract  No.  F30602-98-C-0169  under  the 
DARPA/AFRL  Control  of  Agent-Based  Systems  (COABS)  Program.  The  project  ran  from  30 
June  1998  through  30  September  2001. 

The  initial  goal  of  this  project  was  to  develop  generic  tools  to  support  the  construction  of  soft¬ 
ware  agents  software.  Our  technical  approach  is  based  on  specification  refinement  technology 
which  allows  the  systematic  machine-supported  development  of  software  from  requirement 
specifications.  The  refinements  embody  programming  knowledge  about  algorithms,  data  struc¬ 
tures,  program  optimization  techniques,  etc.  The  result  of  the  refinement  process  is  executable 
code  that  is  consistent  with  the  problem  specification.  The  development  process  can  produce 
highly  efficient  code  along  with  a  proof  of  the  code's  correctness.  The  proposal  and  early  part  of 
the  project  focused  on  technology  for  synthesizing  software  agents,  in  particular  agents  that  pro¬ 
vide  scheduling  and  resource  allocation  services. 

In  the  second  part  of  the  project  (in  coordination  with  DARPA  and  AFRL),  we  focused  on  a 
critical  aspect  of  coordinating  the  interaction  of  agents:  the  synthesis  of  glue-code  to  enable 
agents  to  communicate  even  when  they  expect  data  in  different  formats  and  at  different  levels  of 
abstraction.  We  also  explored  the  synthesis  of  authentication  protocols  via  composition  mecha¬ 
nisms. 

This  report  is  structured  as  follows.  Section  2  presents  an  overview  of  technical  results  obtained 
during  this  project.  Section  3  presents  our  results  on  synthesis  of  glue-code  in  more  detail.  Sec¬ 
tion  4  lists  the  publications  that  resulted  from  this  project. 

3.  Overview  of  Technical  Results 

3.1.  Synthesis  of  Scheduling  Agents 

Our  goals  for  this  project  were  to  explore  ideas  in  synthesizing  software  agents,  and  to  imple¬ 
ment  those  ideas  in  an  extension  of  Specware/Designware/Planware  systems  [18], [16],  [1].  We 
laid  out  the  following  tasks. 

1 .  Develop  Designware  infrastructure 

1.1.  Diagram  colimit  -  algorithm,  interface 

1.2.  Taxonomy  support  at  interface 

1.3.  Ladder  construction  interface 

1.4.  Interpretation  construction  interface 

■  propagation  rules 

■  support  for  unskolemization 

■  support  for  manual  definition 

■  for  connections  and  other  specialized  construction  methods 

2.  Develop  a  taxonomy  of  agent  architectures 

3.  Synthesize  a  scheduling  agent 

■  finish  CP  tactic 
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■  program  optimization  rules  (CD-simplify) 

■  spreadsheet  interface  development 

We  made  considerable  progress  in  the  development  of  the  Designware  framework,  as  reported  in 
[16].  We  accomplished  Tasks  1.1  through  1.4  above,  and  carried  out  a  variety  of  example  deri¬ 
vations.  We  faced  and  solved  a  number  of  technical  difficulties  along  the  way.  One  technical 
problem  concerned  the  use  of  diagrams  of  specifications  (i.e.  structured  specifications)  and  their 
colimits  (composition  of  structured  specifications).  In  essence,  our  first  implementation  did  not 
allow  certain  equalities  between  paths  to  be  preserved  in  the  colimit.  Technically  this  is  the 
problem  of  allowing  nonfree  shape  categories  underlying  the  diagrams.  We  solved  this  problem 
and  implemented  an  extension  to  the  diagram  operations  to  allow  nonfree  shapes.  Although 
quite  technical,  this  result  is  necessary  that  the  colimit  give  the  kind  of  result  expected  in  synthe¬ 
sis  applications. 

We  also  made  considerable  progress  on  Task  3  above  (Synthesize  a  scheduling  agent).  Our  goal 
was  to  create  a  scheduler  vending  agent  on  the  net.  An  agent  that  requires  scheduling  services 
interacts  with  the  scheduler  vendor,  supplying  the  necessary  problem-specific  detail,  and  then, 
after  appropriate  payment,  receives  a  scheduling  agent  together  with  the  necessary  data  transla¬ 
tors  (see  Section  3.4)  and  an  appropriate  GUI.  The  synthesis  of  GUI’s  would  probably  be  neces¬ 
sary  for  a  successful  vendor,  but  it  wasn’t  a  focus  of  this  project. 

The  key  to  creating  this  vending  agent  was  to  make  the  acquisition  of  scheduling  problem- 
specific  detail  as  simple  and  uniform  as  possible.  One  key  insight  was  our  discovery  that  all  of 
the  constraints  that  characterize  the  schedulers  that  we  have  developed  in  recent  years  have  a 
common  abstract  fonn,  technically  they  are  definite  constraints  over  a  semilattice  [15], [20].  This 
enabled  us  to  set  up  a  spreadsheet-like  interface  for  acquiring  the  essential  information  about 
scheduling  constraints.  The  formalism  allows  Planware  to  automatically  convert  the  spreadsheet 
entries  into  detailed  logical  constraints  without  the  purchasing  agent/user  needing  to  know  logic 
or  category  theory. 

We  reworked  the  abstract  scheduling  spec  (from  Planware)  to  allow  the  choice  of  resources  from 
a  taxonomic  library,  and  to  generate  task  refinements  based  on  input  from  the  spreadsheet-like 
interface.  We  developed  a  parser/linker  function  to  convert  spreadsheet  text  formulas  into  the 
internal  fonnat  used  by  the  underlying  Specware  system. 

We  developed  an  initial  version  of  the  spreadsheet  interface  in  the  scheduler  generator.  The  in¬ 
terface  allows  users  to  modify  the  default  entries  in  the  spreadsheet,  and  the  system  will  parse  the 
results,  and  create  appropriate  task  attributes  and  semilattices,  and  finally  a  fonnal  specification 
of  the  user’s  scheduling  problem.  This  allows  us  to  generate  large  specifications  (about  50  pages 
of  text)  from  a  simple  table  of  bounding  information  supplied  by  the  user.  In  previous  work  with 
KIDS,  the  user  had  to  write  this  large  specification  by  hand  prior  to  performing  synthesis. 

We  delivered  the  newest  version  of  Planware,  including  the  spreadsheet  interface,  to  AFRU  in 
June  1999  for  use  as  a  demo  system. 
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3.2.  Protocol  Synthesis 


The  project  supported  a  low-level  collaboration  with  Prof.  John  Mitchell  (Stanford  University) 
on  techniques  for  generating  correct  authentication  protocols  between  agents.  We  founded  our 
formalization  of  protocol  composition  on  the  concept  of  strand  spaces,  developed  at  MITRE.  A 
strand  is  a  sequence  of  events,  usually  communication  events,  and  they  are  connected  to  one  an¬ 
other  to  build  larger  strands,  ultimately  a  complete  protocol.  This  gives  a  clear  foundation  for 
protocol  composition.  We  deepened  that  formalism  by  defining  a  strand  category  with  arrows 
giving  the  interconnections  of  strands.  We  developed  a  logic  for  specifying  and  reasoning  about 
properties  of  strands  [5],  [4]. 

We  were  able  to  sketch  out  the  composition  of  a  simple  protocol,  the  famous  Needham- 
Schroeder-Lowe  authentication  protocol.  A  first  version  of  this  protocol  (called  Needham- 
Schroeder)  was  published  25  years  ago  and  was  found  to  be  flawed  after  15  years  of  use,  despite 
"proofs"  of  its  correctness.  Our  approach  yields  the  corrected  Needham-Schroeder-Lowe  proto¬ 
col  by  composition. 

3.3.  Meta-theories 

We  began  work  on  a  meta-theory  of  Specware  specs  to  capture  notions  of  expression  optimiza¬ 
tion  and  architecture  in  a  general  way  in  Designware.  This  is  crucial  foundational  work  for  syn¬ 
thesis  of  software  agents  because  agent  architectures  require  specification  at  the  meta-level  and, 
more  generally,  alot  of  software  design  knowledge  is  best  expressed  at  the  meta-level.  Architec¬ 
tures  are  defined  in  terms  of  components,  connectors,  and  system  invariants.  The  component 
interfaces  are  specified  (in  Specware)  via  formal  specifications.  The  architectural  structure  of 
component  interconnections  must  be  at  the  meta-level.  The  technical  report  [17]  helped  motivate 
the  redesign  of  the  Specware  language  and  resulted  in  the  MetaSlang  system  which  is  the  current 
foundation  of  all  work  at  Kestrel. 

3.4.  Synthesis  of  Glue  Code 

Through  discussions  with  MIATA  TIE  group  we  refocused  our  effort  on  glue  code  for  a  route 
generator.  The  idea  was  to  treat  the  AMC  CAMPS  Mission  Planner  (that  we  had  co-developed 
previously  with  BBN)  as  an  agent  that  requests  routing  services,  and  moreover,  to  treat  the  route 
generator  as  requiring  detailed  flight  duration  and  flight  path  services  for  a  given  aircraft,  flight 
leg,  and  departure  time.  A  great-circle-route  agent  and  CIRL's  WARP  would  provide  alternate 
agents  for  providing  these  services.  More  generally,  we  sought  to  explore  the  formal  derivation 
of  glue  code  that  translates  between  the  data  offered  by  one  agent  and  the  required  data  of  an¬ 
other.  We  worked  a  number  of  example  problems  drawn  from  the  CAMPS  airlift  scheduling 
domain[6]. 

We  made  significant  progress  on  formally  deriving  glue  code.  Here  are  the  key  ideas:  Given 
agent  A  that  produces  data  source  S,  and  agent  B  that  requires  data  T,  we  want  to  derive  glue 
code  f  such  that  f  (S)  =  T.  We  first  need  to  reconcile  the  semantics  of  agents  A  and  B  by  produc¬ 
ing  a  common  abstract  domain  theory  T.  The  derivation  of  f  takes  place  in  the  theory  formed  by 
unioning  the  theories  of  A  and  B  modulo  the  common  theory  T  —  technically  this  is  a  colimit  op¬ 
eration.  Given  this  setting,  we  found  we  could  readily  derive  f  by  interleaving  the  basic  steps  of  a 
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higher-order  matching  algorithm  with  application  of  domain-specific  theorems  as  necessary. 

The  result  is  a  data  translator  that  is  correct-by-construction. 

As  a  typical  example,  we  are  given  a  scheduling  agent  MP  that  produces  an  airlift  schedule  —  for 
each  aircraft,  the  schedule  gives  the  sequences  of  flights  that  it  makes.  We  also  have  an  agent 
CM  that  requires  what  is  known  as  a  commitment  matrix  —  the  number  and  type  of  aircraft  that 
are  committed  (i.e.  not  free  for  allocation)  over  time.  The  problem  is  to  derive  a  translator/ from 
schedules  to  commitment  matrices.  This  problem  has  features  of  translation  and  summarization 
of  data. 

There  are  two  key  steps  in  formalizing  the  problem  so  that  it  admits  a  rigorous  and  general  solu¬ 
tion  method.  First,  there  must  be  a  shared  language/theory  in  which  both  MP  and  CM  can  be 
described  and  their  shared  ontology  made  explicit.  One  approach  is  to  develop  an  abstract  com¬ 
mon  theory  of  the  domain,  which  is  airlift  scheduling  (AS)  here.  Next,  theories  for  MP  and  CM 
are  developed  as  extensions  of  AS  where  the  schedule  and  commitment  matrix  datatypes  are  ex¬ 
pressed  in  tenns  of  the  language  of  AS.  The  problem  of  translating  from  schedule  to  commit¬ 
ment  matrix  datatypes  is  expressed  in  the  pushout  (shared  union)  of  these  theories. 

Second,  the  translation  problem  can  be  treated  as  solving  a  higher-order  equation.  For  example, 
if  S'  is  a  tenn  constructing  an  MP  schedule  and  T  is  a  term  constructing  a  CM  commitment  ma¬ 
trix,  then  we  want  to  construct  a  translator/ satisfying: /(S)  =  T.  Given  this  formulation,  one 
would  expect  that  standard  equational  reasoning  would  apply  to  solve  for /  Instead  we  found  it 
more  effective  to  interleave  the  basic  steps  of  higher-order  matching  and  the  application  of  do¬ 
main-specific  laws. 

The  glue-code  subgroup  of  Miata  (Mark  Burstein,  Drew  McDermott,  Doug  Smith  and  Stephen 
Westfold)  investigated  glue-code  synthesis  and  produced  several  publications  [3],  [2],  At  Kestrel 
we  implemented  a  higher-order  matcher  and  a  simple  version  of  the  glue-code  generator. 

3.5.  MIATA  Technology  Integration  Experiment 

Our  participation  in  the  MIATA  TIE  initially  suggested  the  need  to  focus  on  glue-code  synthesis. 
We  implemented  a  higher-order  matcher  and  a  version  of  the  glue-code  generator  that  runs  on 
the  Specware  2000  system  (which  runs  on  Windows,  Linux,  and  Solaris  platfonns).  We  ran  nu¬ 
merous  examples  through  the  generator,  leading  to  improvements  in  the  higher-order  matcher 
and  the  tactical  control  of  the  generator.  Dr  Westfold  demonstrated  the  glue-code  generator  as 
part  of  the  Miata  TIE  during  the  August  2000  COABS  meeting. 

4.  Synthesis  of  Glue  Code 

Glue-code  addresses  the  problem  of  getting  agents  to  communicate  with  each  other.  By  "agent" 
we  mean  programs  that  operate  at  a  high  enough  semantic  level  that  they  can  form  new  connec¬ 
tions  to  other  programs  in  order  to  get  a  job  done.  To  make  such  a  connection,  an  agent  must 
find  other  agents  that  might  carry  out  a  task  on  its  behalf,  and  then  establish  a  dialogue  with 
them.  Several  researchers  have  examined  facets  of  this  interchange,  including  how  agents  might 
search  for  each  other  [19],  how  they  might  communicate  once  they  have  linked  [12],  and  what 
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"speech  acts"  they  might  employ  [7].  However,  the  most  pressing  problem  is  getting  them  to 
speak  the  same  language.  This  is  our  focus  here. 

Suppose  one  agent,  A,  needs  a  certain  fact,  and  agent  B  can  supply  it.  Assuming  that  some  previ¬ 
ous  "brokering"  or  "advertising"  phase  has  brought  the  two  agents  together,  there  remains  the 
problem  that  the  way  A  represents  facts  and  the  way  B  represents  them  are  probably  not  com¬ 
patible.  It  is  necessary  to  interpose  a  translation  program  between  the  two.  We  call  this  glue 
code.  The  problem  is  to  generate  glue  code  automatically. 

For  example,  suppose  we  are  given  a  scheduling  agent  S  that  produces  an  airlift  schedule.  For 
each  aircraft,  the  schedule  gives  the  sequence  of  flights  that  it  is  scheduled  to  make.  We  also 
have  an  agent  R  that  maintains  what  is  known  as  a  "commitment  matrix,"  a  table  that  specifies, 
for  each  time  slot,  the  number  of  each  type  of  aircraft  that  are  committed  to  scheduled  flights  (i.e. 
not  free  for  allocation)  in  that  time  slot.  The  problem  is  to  derive  a  translator/ from  schedules  to 
commitment  matrices,  so  that  R  is  able  to  accept  the  infonnation  derived  from  the  scheduler  ac¬ 
cording  to  its  declared  input  specification  format  (API). 

Some  commonly  considered  approaches  to  this  problem  are  to: 

•  Engineer  the  agents  to  be  compatible  in  advance  by  changing  one  or  the  other  to  accept  or 
generate  the  form  required  by  the  other. 

•  Attempt  to  develop  a  "general  purpose"  translation  agent  that  will  convert  all  messages 
that  can  be  produced  by  agents  using  one  semantic  model  or  ontology  into  equivalent 
messages  using  a  second  ontology,  to  the  extent  that  translations  between  those  ontolo¬ 
gies  are  well  defined. 

We  are  developing  a  third  approach,  namely,  to  submit  the  specification  of  the  source  and  target 
messages  to  an  agent  that  produces  a  very  specific  translator  for  that  purpose.  This  has  the  po¬ 
tential  advantage  of  being  much  more  efficient  if  similar  messages  will  be  sent  frequently  once 
the  agents  have  been  "introduced",  or  when  the  data  to  be  passed  in  a  single  message  contains  a 
large  number  of  similar  forms. 

This  approach  to  the  problem  can  be  considered,  as  a  form  of  the  automatic  programming  prob¬ 
lem,  but  one  that  we  believe  is  simpler  than  the  general  case.  It  "feels  like”  an  exercise  in  mov¬ 
ing  data  around,  with  a  bit  of  condensing,  summarization,  and  totaling  thrown  in.  On  the  other 
hand,  problems  like  this  one  are  not  trivial.  The  reader  may  wish  to  stop  and  try  to  produce  the 
glue  code  for  S  and  R  by  hand. 

In  what  follows,  we  will  describe  our  framework,  and  illustrate  with  several  examples.  Al¬ 
though,  we  do  not  have  a  full  implementation  of  our  approach  as  yet,  we  have  developed  several 
prototypes  that  can  handle  a  variety  of  examples  like  those  described  in  this  paper.  At  the  end  of 
the  paper,  we  will  talk  about  opportunities  and  challenges  in  automating  the  process  more  fully, 
and  in  applying  it  in  a  distributed  agent  environment. 

In  addition  to  the  agent-communication  work  we  mentioned  at  the  outset,  much  work  has  been 
done  by  the  database  community  on  the  problem  of  translating  between  databases,  where  it  is 
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called  the  problem  of  schema  in  tegration,  with  subproblems  of  query  translation  and  value 
translation.  [14], [10], [8], [13].  The  main  differences  are: 

1 .  Database  researchers  assume  that  the  main  problem  is  to  translate  queries  (and  their  re¬ 
sults)  from  one  formalism  to  another.  Queries  are  written  in  a  standard  language  such  as 
SQL  [9],  and  the  only  issue  is  how  the  relation  and  argument  names  are  mapped.  We 
want  to  be  able  to  translate  an  arbitrary  formula  (or  functional  expression)  from  one  for¬ 
malism  to  the  other. 

2.  Database  researchers  assume  that  the  results  of  a  query  are  tables  in  a  standard  format. 
Hence  if  you  can  find  a  translation  of  a  query  you  automatically  can  translate  the  result. 
We  will  tackle  the  more  general  case  of  automatically  generating  data-structure- 
translation  code  given  expressions  that  describe  what  one  agent  wants  and  what  another 
can  produce. 

4.1.  The  Setting 

The  common  theory  of  the  application  domain  provides  symbols  for  the  concepts,  operations, 
and  properties,  relationships,  etc.  in  the  domain.  Its  axioms  constrain  the  meaning  of  the  vocabu¬ 
lary.  For  example,  suppose  that  we  have  an  abstract  database  of  persons  P  :  set(Person)  where 
each  Person  has  a  name :  Person  — >  string,  id  :  Person  — >  nat,  age:  Person  — >  nat,  and  other  at¬ 
tributes. 

Our  example  supposes  that  this  abstract  database  has  two  somewhat  different  realizations:  S  and 
T.  To  express  the  realization  relation  it  is  convenient  to  use  the  following  notation  which  lifts 
value  tupling  to  function  tupling:  for  f:  A  — >  Bu...,fn:  A  — >  Ba,  the  function  <fu...,fn ):  A 
Zfx...x  p  satisfies  the  tupling-r eduction  law 

(a)  =  (/](a),...,/„(a)> 

Using  the  function  tupling  notation,  the  source  database  S  is 

S  =  image(  {name,  id,  age) ,  P) 

and  the  target  database  that  we  want  to  build  from  S  is 

T  =  image(  (  name,  /.(pv)  if  age{pv)  >30  then  id(pv)  else  0) ,  P) 

Formally,  we  want  to  translate  from  dataset  S  and  dataset  T  (without  reference  to  P)  by  solving 
the  higher-order  equation  /(S^r 

4.2.  Inference  Rules 

The  following  rules  correspond  to  the  basic  steps  of  a  second-order  matching  algorithm  [11]. 

Imitation  Rule 
for  any / :  A  — >C 

and  g:  Btx...x  B„  —>  C  where  Bt  is  not  a  function  type 
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and  hi'.  A—*  B,  for  1  <  i  <  n, 
Au)=g(y i,...,  v„) 


fix)  =  §(■  ■  ■  -  h,{x), . . .)  A  h(u)  =  v,  for  1  <  i  <  n 

Projection  Rule 
for  any  f:Al  x . . .  x  Am  — »C 
and  g:  Btx . . .  x  B„  — >  A,  for  some  1  <  i  <  m, 

fich,...,  am)  =  g(bu...,  b„) 


fix =  x,  a  a,  =  g(bu...,b„) 

The  terms  "imitation"  and  "projection"  are  standard  in  the  matching  and  unification  literature. 
Here  we  fonnulate  them  as  inference  rules  to  be  used  in  a  backward  inference  mode.  It  can  be 
easily  seen  that  they  follow  from  universal  instantiation  and  equality  substitution  rules.  We  also 
use  the  usual  rules  for  handling  equalities  and  equivalences,  and  the  basic  rules  of  the  lambda 
calculus:  a,  (3,  and  q-reduction.  The  following  law  is  useful  for  the  backward  chaining-style  of 
proof  that  we  adopt. 

Image  Decomposition  Law 

for  any  g  :  A  -+B, 

and  h  :  A  — >C, 

and / :  set (B)  —>  set(C), 

and  i :  B  — >C, 

fiimage{g,  As))  =  image(h,  As) 
fiBs)  =  image(i,  Bs)  a  i(g(x))  =  fix) 

4.3.  Simple  Example  --  Translating  between  Personnel  Databases 

Suppose  that  we  have  an  agent  that  offers  personnel  database  services,  in  particular  it  provides 

S  =  image({name,  id,  age) ,  P) 


and  another  agent  requires 

T  =  image(  (  name,  /-ipv)  if  age(pv)  >30  then  id(pv)  else  0) ,  P) 

The  problem  is  to  calculate/ such  that  /(k)  =  T: 

fiimage(  (  name,  id,  age) ,  P))  =  image(  (  name,  X(pv)  if  age(pv)  >  30  then  id(pv)  else  0) ,  P) 

<=  using  Image  Decomposition  with 
{g  I - *■(  name,  id,  age) , 

h  I - *  (  name,  fipv)  if  age(pv)  >  30  then  id(pv)  else  0) 
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j(X)  =  image  (i,  X) 

a  i(  {name,  id,  age)  ip))  =  (  name,  Mpv)  if  age(pv)  >  30  then  id(pv)  else  0)  (p) 


<  >  The  first  conjunct  ion  provides  a  substitution/definition  for  f 

and  tupling-reduction  is  applied  to  the  second  conjunct 

i(name(p),  id(p),  age(p))  =  ( name(p ),  if  age(p)  >  30  then  id(p )  else  0  ) 

<=  Imitation  with  {g  | - *  X  (x,  y)  (x,  y)} 

i(n,  i,  a)  =  (i\  (n,  i,  a),  h  (n,  i,  a)  ) 

a  i\  ( nameip ),  id(p),  age(p))  =  name(p ) 

a  h  (nameip),  idip ),  age(p))  =  if  age(p)  >  30  then  id(p)  else  0 

Again,  the  first  conjunct  ion  provides  a  substitution/definition  for  i, 
and  projection  solves  for  /,,  Imitation  for  i2 

i(n,  i,  a)  =  n  A  name(p)  =  name(p) 

a  i2  ( n ,  i,  a)  =  if  h  \  (n,  i,  a)  then  hi  (n,  i,  a)  else  in  (n,  i,  a) 
a  in  ( nameip ),  id(p),  age(p))  =  age(p)  >  30 
a  in  (nameip),  id(p),  age(p))  =  id(p) 
a  in  (nameip),  id(p),  age(p))  =  0 

The  rest  of  the  derivation  is  straightforward  application  of  imitation  and  projection.  Summing  up, 
we  have  constructed  the  functions 

f(X)  =  image(  i,  X) 

i(n,  i,  a)  =  <  i\  (n,  i,  a),  h  (n,  i,  a) ) 

i\  (n,  i,  a)  =  n 

h  (n,  i,  a)  =  if  in  (n,  i,  a)  then  in  (n,  i,  a)  else  in  (n,  i,  a) 

After  unfolding  the  definitions  below/  we  get  the  translation  code 

T  =  f(S)  =  image(X((n,  i,  a)  )  (n,  if  a  >  30  then  i  else  0) ,  Sj. 

This  example  is  typical  of  our  derivations  in  that  mostly  matching  rules  are  applied,  with  some 
law  applications  interspersed. 

4.4.  Summary 

Other,  more  complex,  examples  that  we  have  solved  in  this  manner  include 

•  translating  an  aircraft  schedule  to  a  commitment  matrix 

•  translate  a  mission  database  to  a  list  of  flights  for  each  aircraft 
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•  given  flight  data  and  cargo  data,  construct  a  manifest  list  for  each  flight 

•  translating  from  cargo  weight  expressed  in  terms  of  cargo  classes  to  cargo  weight  ex¬ 
pressed  in  terms  of  individual  objects  (this  problem  addressed  the  issue  of  conceptual 
mismatch  and  possibly  conflicting  assumptions). 

These  examples,  and  many  others,  are  currently  working  in  the  glue-code  generator  built  by  Dr. 
Westfold  in  the  Specware/Designware  system  [18], [16]. 
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California,  October,  1998,  270—280. 
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Nancy  Durgin  and  John  C.  Mitchell  and  Dusko  Pavlovic,  A  compositional  logic  for  protocol  cor¬ 
rectness,  in  Proceedings  of  Computer  Security  Foundations  Workshop  2001,  Ed.S.  Schneider, 
200 1  (ftp://ftp.kestrel.edu/pub/papers/pavlovic/CLPC.ps.gz). 

Westfold,  S.J.  and  Smith,  D.R.,  Synthesis  of  Efficient  Constraint  Satisfaction  Programs,  Knowl¬ 
edge  Engineering  Review  16(1),  Special  Issue  on  AI  and  OR,  2001,  69-84. 
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